Yet enabling certain kinds of encryption across different points of the network, rather than focusing solely on applications, can provide significant protection from the most advanced of attackers. But many still aren’t doing this, says Peter Wood, chief executive officer of security consultancy First Base Technologies.

“There’s no question that transmitting information in plain text remains a significant vulnerability in most organisations. As ethical hackers, we often start our client engagements by examining network data and discovering significant information from a simple packet-sniffing exercise,” says Wood.

“Providing layer 2 encryption at the switch and router would make our activities a lot harder, and thus also the criminal’s life in a real-world attack. Everyone is used to the idea of SSL for web-based transactions, but little thought is given to encrypting internal traffic or indeed to other types of traffic on the internet.”

IPsec (Internet Protocol Security) is a set of cryptographic services that protects communications by securing each IP packet travelling between network systems, whether that is a router or a client. These services include Authentication Header (AH), which provides authentication, and Encapsulating Security Payload (ESP), which provides both authentication and encryption.

IT chiefs can turn on a variety of features to strengthen an IPsec deployment too, including perfect forward secrecy, which stops attackers getting at protected information even if they have broken one of the two keys involved in a handshake between two parties.

MACsec (Media Access Control Security) covers all traffic on Ethernet links. Keys are exchanged and verified between the interfaces at each end of a point-to-point Ethernet connection. It also performs data integrity checks, using an 8-byte header and a 16-byte tail appended to each frame as it crosses the link. Traffic is dropped if anything irregular has happened to those headers and tails.

It can help identify a range of security threats, including denial of service (DoS) and man-in-the-middle (MITM) attacks. MACsec is particularly useful on Ethernet segments where data passes through an untrusted location, such as a public space between two buildings. MACsec runs at the native Ethernet line rate, at speeds up to 100Gbps, according to Cisco, and switches achieve this performance through in-line encryption hardware.
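The per-frame integrity check described above, as an added example in Go (not Cisco's, Brocade's or any vendor's code): it assumes the IEEE 802.1AE GCM-AES-128 frame layout with an 8-byte SecTAG and 16-byte ICV, a constructed key and Secure Channel Identifier (SCI), and a single sender per channel, so a simple highest-packet-number rule stands in for the standard's replay window. Any altered bit in the header, payload or ICV, a truncated frame, or a replayed packet number causes the receiving side to drop the frame.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

const hdrLen, icvLen, etherTypeMACsec = 20, 16, 0x88E5 // DA+SA+SecTAG bytes, ICV bytes, MACsec EtherType

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-byte key: AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte IV, 16-byte tag: the MACsec ICV
}

// Protect is the sending interface (IEEE 802.1AE GCM-AES-128 layout, SecTAG without SCI):
//   DA(6) | SA(6) | SecTAG(8) = EtherType 0x88E5, TCI/AN, SL, PN(4) | ciphertext | ICV(16)
// The 20 header bytes are the AAD, the payload is encrypted, and the GCM IV is SCI || PN.
func Protect(key, sci []byte, pn uint32, da, sa, payload []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil || len(sci) != 8 || len(da) != 6 || len(sa) != 6 {
		return nil, errors.New("bad key, SCI or MAC address length")
	}
	hdr := append(append(make([]byte, 0, hdrLen), da...), sa...)[:hdrLen] // DA|SA, SecTAG zeroed
	binary.BigEndian.PutUint16(hdr[12:14], etherTypeMACsec)
	hdr[14], hdr[15] = 0x0C, 0x00 // TCI: E=1, C=1 (encrypted), AN=0; SL=0 (long frame)
	binary.BigEndian.PutUint32(hdr[16:20], pn)
	iv := append(append([]byte{}, sci...), hdr[16:20]...)
	return aead.Seal(hdr, iv, payload, hdr), nil // appends ciphertext and the 16-byte ICV
}

// Check is the receiving interface (lastPN = highest PN accepted so far); an error means drop the frame.
func Check(key, sci []byte, lastPN *uint32, frame []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil || len(frame) < hdrLen+icvLen || binary.BigEndian.Uint16(frame[12:14]) != etherTypeMACsec {
		return nil, errors.New("drop: bad key, truncated or untagged frame")
	}
	pn := binary.BigEndian.Uint32(frame[16:20])
	iv := append(append([]byte{}, sci...), frame[16:20]...)
	plain, err := aead.Open(nil, iv, frame[hdrLen:], frame[:hdrLen])
	if err != nil || pn <= *lastPN { // any altered bit in header, payload or ICV, or a replayed PN
		return nil, errors.New("drop: ICV check failed or replayed packet number")
	}
	*lastPN = pn
	return plain, nil
}
```

A real MACsec implementation derives the key from the Connectivity Association Key via MKA and accepts packet numbers within a configurable replay window rather than requiring strict ordering.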

High-performance encryption

Doing both IPsec and MACsec at the same time brings various benefits, according to Nick Williams, senior product manager at networking firm Brocade.

“Network-level encryption is not new, but now, thanks to concurrent advances in both encryption and semiconductor technologies, it is possible to encrypt at high performance, at scale and at a dramatically lower cost. This gives administrators a powerful tool to protect against violations in data security during data-in-flight transfers,” says Williams.

“A combination of IPsec and MACsec is often the ideal solution. IPsec provides encryption for data cloaking on networks that are vulnerable to snooping, ensuring information integrity when transiting on infrastructure not owned by your organisation.

“Meanwhile, MACsec encryption and visibility on your own network provide great flexibility, securing against denial-of-service attacks, identifying malevolent users within the network and applying policy for specific application requirements.”

Implementing both may bring certain latency problems, however. As IPsec encapsulates the traffic, with a form of information hiding, there might be some network performance impact and some routing issues, says Gartner research director Jeremy D'Hoinne. Yet most network firewalls have mature capabilities to deal with this, he adds.

“IPsec on an endpoint like a laptop is more complicated, however,” says D'Hoinne. “Organisations need to solve additional challenges, like sharing and updating secrets (pre-shared keys or certificates), with endpoints that can’t be reached all the time. Also, organisations need to be able to repudiate access from remote endpoints which have been compromised.

“Encryption strategy is weighted by a compromise between the need for confidentiality and the performance impact.”

If a business has overcome such issues and turned on encryption across its network layers, there is little excuse not to ensure that other business data is protected with similar tools.

“Of course data in transit is not the only issue. Organisations also need to invest in encryption at rest for their most sensitive and valuable information, both inside the business and in the cloud,” adds First Base Technologies' Wood. “Once this has also been addressed, the attack surface for most businesses will be reduced significantly.”
